Microsoft Averts Mass Cloud Takeover Due to Azure Flaw
Microsoft narrowly avoided the mass compromise of its cloud customers: Dutch researcher Dirk-jan Mollema uncovered two interrelated flaws in the Entra ID identity management service (formerly Azure Active Directory) which, when combined, allowed an attacker to gain global administrator privileges and effectively seize control of any Azure tenant.
The first issue involved a little-known mechanism for issuing internal tokens—so-called Actor Tokens, used for service-to-service authentication. The second stemmed from the legacy Azure AD Graph API, which failed to properly validate the tenant from which a request originated and therefore accepted tokens from other tenants. Together, these weaknesses enabled an attacker with a test or trial account to request tokens, impersonate another user, and create a global administrator in a foreign tenant—with the power to alter configurations, add users, and manage Entra ID subscriptions and applications. The vulnerability has been assigned CVE-2025-55241.
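The core defect the article describes on the API side is a token validator that checks signature, audience and expiry but never asks which tenant the token belongs to. The following Python is an added illustration of that validation gap and of the check that closes it; it is not code from Microsoft, from the researcher, or from the article. It assumes a constructed HMAC-SHA256 signing key (real Entra ID tokens are RS256-signed with Microsoft's keys), two made-up tenant IDs, and the Azure AD Graph resource identifier and v1 issuer format as the values to compare against.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo signing key. Production tokens are RS256-signed with
# Microsoft's keys; HMAC-SHA256 is an assumption so this runs offline.
DEMO_KEY = b"constructed-demo-signing-key"

# Constructed tenant IDs (any GUID-like strings would do).
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"
GRAPH_AUDIENCE = "https://graph.windows.net"  # Azure AD Graph resource identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact header.payload.signature token (test helper, not an issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _parse_signed(token: str, key: bytes) -> dict:
    """Verify the signature and return the claims. A valid signature only proves
    the issuer minted the token; it says nothing about which tenant it is for."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload))


def validate_vulnerable(token: str, resource_tenant: str, now: int, key: bytes = DEMO_KEY) -> dict:
    """Signature, audience and expiry are checked, but the tenant is not:
    a correctly signed token minted for another tenant is accepted here."""
    claims = _parse_signed(token, key)
    if claims.get("aud") != GRAPH_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def validate_hardened(token: str, resource_tenant: str, now: int, key: bytes = DEMO_KEY) -> dict:
    """Same checks, plus the token's tenant claim and issuer must match the tenant
    whose data is being requested, so a token from tenant B cannot act in tenant A."""
    claims = validate_vulnerable(token, resource_tenant, now, key)
    if claims.get("tid") != resource_tenant:
        raise ValueError("token tenant does not match resource tenant")
    if claims.get("iss") != f"https://sts.windows.net/{resource_tenant}/":
        raise ValueError("issuer does not match resource tenant")
    return claims


def is_accepted(validator, token: str, resource_tenant: str, now: int) -> bool:
    """True if the validator admits the token for the given tenant."""
    try:
        validator(token, resource_tenant, now)
        return True
    except ValueError:
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Present a token minted for ATTACKER_TENANT against VICTIM_TENANT's data."""
    def claims_for(tenant: str) -> dict:
        return {
            "iss": f"https://sts.windows.net/{tenant}/",
            "tid": tenant,
            "aud": GRAPH_AUDIENCE,
            "exp": now + 3600,
            "sub": "constructed-user",
        }

    cross_tenant = mint_token(claims_for(ATTACKER_TENANT))
    same_tenant = mint_token(claims_for(VICTIM_TENANT))
    return {
        "vulnerable_accepts_cross_tenant": is_accepted(validate_vulnerable, cross_tenant, VICTIM_TENANT, now),
        "hardened_accepts_cross_tenant": is_accepted(validate_hardened, cross_tenant, VICTIM_TENANT, now),
        "hardened_accepts_same_tenant": is_accepted(validate_hardened, same_tenant, VICTIM_TENANT, now),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that every resource-side consumer of a token must pin the tenant it serves to the `tid` and `iss` claims it receives; a signature check alone, however strong the key, cannot tell a foreign tenant's token from a local one.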
Mollema reported his findings to the Microsoft Security Response Center on July 14. The company promptly launched an investigation, deployed fixes within days, and confirmed full remediation by July 23, with additional safeguards introduced in August. In official statements, Microsoft noted enhancements to token validation logic and an accelerated retirement of legacy protocols under its Secure Future Initiative. Internal reviews found no evidence of real-world exploitation.
Experts emphasize that such flaws in identity providers rank among the most dangerous, as they can bypass conditional access policies, logging mechanisms, and multi-factor authentication, thereby unlocking entry to all services tied to Entra ID—Azure, Exchange, SharePoint, and beyond. The discovery evokes parallels with the Storm-0558 incident in 2023, when a compromised signing key allowed attackers to mint tokens and access cloud email systems. Unlike that case, however, this new vulnerability relied only on manipulating internal token types and exploiting a deprecated API—making it potentially easier to weaponize under certain conditions.
Mollema’s discovery and Microsoft’s swift response underscore the critical importance of retiring legacy components and continuously auditing token issuance mechanisms. As the backbone of trust for countless organizations, the cloud identity ecosystem cannot afford foundational errors, which carry risks ranging from widespread data compromise to the complete takeover of managed services.